Using Pre-Shared Keys

Pre-shared keys (username/password) are an alternative to using certificates with the ISE pxGrid node. The password between the client and the ISE pxGrid node is encrypted.

You must first create the account and have it approved by the admin. You can read more about this by visiting: pxGrid account authentication

When implementing pre-shared keys, you must have the trusted root certificate installed in the trusted certificate store. In the example that follows, we have converted it into the trusted keystore file (.jks).

In the screenshot below, Chrome POSTMAN is used to create the pxGrid client account. There is no authorization header.

In the example below, PasswordAuth is the pxGrid client name that is created.

You will see the generated username and password.

The account will be in a pending state until the admin approves the account.

When you go to ISE and select Administration->pxGrid Services, you will see the registered client.

In the example below, we run a session subscribe Java example.

You will include the username or pxGrid client name denoted by -u PasswordAuth and the password denoted by -x YKSlXrVwB8Yvngy as the arguments when you run the code.

Note that the trusted keystore filename is defined, denoted by -t, and the associated password is also defined, denoted by -q.

Below is the output of the code:

------ config ------
  hostname = ise24fc3.lab10.com
  nodename = PasswordAuth
  password = YKSlXraVwB8YvngY
  description = (not specified)
  keystorefilename = (not specified)
  keystorepassword = (not specified)
  truststorefilename = /Applications/sdk24/pxgrid-sdk-2.0.0.14/samples/bin/sdk24root.jks
  truststorepassword = Cisco123
--------------------
11:22:14.258 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
11:22:15.068 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"PENDING","version":"2.0.0.13"}
11:23:15.072 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
11:23:15.086 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"PENDING","version":"2.0.0.13"}
11:24:15.096 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
11:24:15.121 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"PENDING","version":"2.0.0.13"}
11:25:15.123 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
11:25:15.139 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"PENDING","version":"2.0.0.13"}
11:26:15.142 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
11:26:15.158 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"ENABLED","version":"2.0.0.13"}
11:26:15.158 [main] INFO com.cisco.pxgrid.samples.ise.SessionSubscribePasswordAuth - pxGrid controller version=2.0.0.13
11:26:15.183 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup request={"name":"com.cisco.ise.session"}
11:26:15.213 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup response={"services":[{"name":"com.cisco.ise.session","nodeName":"ise-mnt-ise24fc3","properties":{"sessionTopic":"/topic/com.cisco.ise.session","groupTopic":"/topic/com.cisco.ise.session.group","wsPubsubService":"com.cisco.ise.pubsub","restBaseURL":"https://ise24fc3.lab10.com:8910/pxgrid/mnt/sd","restBaseUrl":"https://ise24fc3.lab10.com:8910/pxgrid/mnt/sd"}}]}
11:26:15.213 [main] INFO com.cisco.pxgrid.samples.ise.SessionSubscribePasswordAuth - wsPubsubServiceName=com.cisco.ise.pubsub sessionTopic=/topic/com.cisco.ise.session
11:26:15.213 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup request={"name":"com.cisco.ise.pubsub"}
11:26:15.228 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup response={"services":[{"name":"com.cisco.ise.pubsub","nodeName":"ise-pubsub-ise24fc3","properties":{"wsUrl":"wss://ise24fc3.lab10.com:8910/pxgrid/ise/pubsub"}}]}
11:26:15.228 [main] INFO com.cisco.pxgrid.samples.ise.SessionSubscribePasswordAuth - wsUrl=wss://ise24fc3.lab10.com:8910/pxgrid/ise/pubsub
11:26:15.230 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret request={"peerNodeName":"ise-pubsub-ise24fc3"}
11:26:15.417 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret response={"secret":"Sa4qTVyV77pJzY8S"}
11:26:18.181 [Grizzly(1)] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - WS onOpen
11:26:18.276 [main] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP CONNECT host=ise24fc3.lab10.com
11:26:18.333 [main] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP SUBSCRIBE topic=/topic/com.cisco.ise.session
11:26:18.347 [Grizzly(2)] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP CONNECTED version=1.2
press <enter> to disconnect...

(new session once approved….)

11:26:18.333 [main] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP SUBSCRIBE topic=/topic/com.cisco.ise.session
11:26:18.347 [Grizzly(2)] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP CONNECTED version=1.2
press <enter> to disconnect...
11:29:13.313 [Grizzly(1)] INFO com.cisco.pxgrid.samples.ise.SessionSubscribePasswordAuth - Content={"sessions":[{"timestamp":"2018-09-16T15:29:12Z","state":"DISCONNECTED","userName":"pxgrid5","callingStationId":"00:0C:29:01:5D:E8","calledStationId":"50:3D:E5:C4:05:8E","auditSessionId":"0A00000100000062010F397D","ipAddresses":["10.0.0.17"],"macAddress":"00:0C:29:01:5D:E8","nasIpAddress":"192.168.1.3","nasPortId":"GigabitEthernet1/0/14","nasPortType":"Ethernet","endpointProfile":"Unknown","endpointOperatingSystem":"Windows 7 Professional","ctsSecurityGroup":"IOT_Devices","adNormalizedUser":"pxgrid5","adUserDomainName":"lab10.com","adUserNetBiosName":"LAB10","adUserResolvedIdentities":"pxgrid5@lab10.com","adUserResolvedDns":"CN\u003dpxgrid5,CN\u003dUsers,DC\u003dlab10,DC\u003dcom","providers":["None"],"endpointCheckResult":"none","identitySourcePortStart":0,"identitySourcePortEnd":0,"identitySourcePortFirst":0,"isMachineAuthentication":"false","serviceType":"Framed","networkDeviceProfileName":"Cisco","radiusFlowType":"Wired802_1x","ssid":"50-3D-E5-C4-05-8E","mdmRegistered":false,"mdmCompliant":false,"mdmDiskEncrypted":false,"mdmJailBroken":false,"mdmPinLocked":false},{"timestamp":"2018-09-16T15:29:12Z","state":"DISCONNECTED","userName":"74:26:AC:5A:82:26","callingStationId":"74:26:AC:5A:82:26","calledStationId":"50:3D:E5:C4:05:93","auditSessionId":"0A0000010000004A00F11FD5","ipAddresses":["192.168.1.43"],"macAddress":"74:26:AC:5A:82:26","nasIpAddress":"192.168.1.3","nasPortId":"GigabitEthernet1/0/19","nasPortType":"Ethernet","endpointProfile":"Cisco-Device","endpointOperatingSystem":"VMware ESXi 6.0.0 (accuracy 96%)","adNormalizedUser":"74:26:AC:5A:82:26","providers":["None"],"endpointCheckResult":"none","identitySourcePortStart":0,"identitySourcePortEnd":0,"identitySourcePortFirst":0,"serviceType":"Framed","networkDeviceProfileName":"Cisco","radiusFlowType":"WiredMAB","ssid":"50-3D-E5-C4-05-93","mdmRegistered":false,"mdmCompliant":false,"mdmDiskEncrypted":false,"mdmJailBroken":false,"mdmPinLocked":false}]}

When we go to ISE and select Administration->pxGrid Services->Web Clients, we see the pxGrid client subscribed to the session topic.
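
The password-based flow from the log above (AccountActivate polled until the admin approves, then AccessSecret for the pubsub node), as an added Python example; it is not part of the Cisco SDK samples or of the original page. Assumptions: the control REST base path /pxgrid/control/ on port 8910, a PEM export of the trusted root certificate in place of the .jks file, and all function names, which are hypothetical.

```python
import base64
import json
import ssl
import time
import urllib.request

CONTROL_PATH = "/pxgrid/control/"  # assumption: pxGrid 2.0 control REST base path


def basic_auth(node_name, password):
    """HTTP Basic value built from the pxGrid client name and generated password."""
    pair = f"{node_name}:{password}".encode()
    return "Basic " + base64.b64encode(pair).decode()


def make_poster(host, ca_pem, port=8910):
    """Return post(operation, body, auth); TLS is verified against the trusted root only."""
    ctx = ssl.create_default_context(cafile=ca_pem)  # hostname and chain checks stay on

    def post(operation, body, auth=None):
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if auth:  # account creation is sent without an Authorization header
            headers["Authorization"] = auth
        req = urllib.request.Request(
            f"https://{host}:{port}{CONTROL_PATH}{operation}",
            data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return post


def wait_until_enabled(post, node_name, password, interval=60, max_polls=30,
                       sleep=time.sleep):
    """Poll AccountActivate (empty body, as in the log); return the polls needed."""
    auth = basic_auth(node_name, password)
    for attempt in range(1, max_polls + 1):
        state = post("AccountActivate", {}, auth).get("accountState")
        if state == "ENABLED":
            return attempt
        if state != "PENDING":  # any other state: stop instead of retrying
            raise PermissionError(f"unexpected account state {state!r}")
        sleep(interval)
    raise TimeoutError("account still PENDING; it needs admin approval in ISE")


def access_secret(post, node_name, password, peer_node):
    """Request the secret shared with a peer node, e.g. the pubsub node."""
    body = {"peerNodeName": peer_node}
    return post("AccessSecret", body, basic_auth(node_name, password))["secret"]
```

Pass the function returned by make_poster as the post argument; keep the generated password and the returned secret out of logs, since both authenticate the client.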